{"id":33199,"date":"2022-12-23T08:46:36","date_gmt":"2022-12-23T13:46:36","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=519431"},"modified":"2022-12-27T09:44:12","modified_gmt":"2022-12-27T14:44:12","slug":"cyber-security-today-dec-23-2022-a-new-attack-vector-against-exchange-and-more-unprotected-data-found-on-aws-s3-buckets","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-dec-23-2022-a-new-attack-vector-against-exchange-and-more-unprotected-data-found-on-aws-s3-buckets\/","title":{"rendered":"Cyber Security Today, Dec. 23, 2022 \u2013 A new attack vector against Exchange and more unprotected data found on AWS S3 buckets"},"content":{"rendered":"<p data-ar-index=\"0\">A new attack vector against Exchange and more unprotected data found on AWS S3 buckets.<\/p>\n<p data-ar-index=\"1\">Welcome to Cyber Security Today. It\u2019s Friday, December 23rd, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"3\"><strong>The Play ransomware gang<\/strong> has apparently found a new vulnerability to exploit on Microsoft Exchange servers. <a href=\"https:\/\/www.crowdstrike.com\/blog\/owassrf-exploit-analysis-and-recommendations\/\" rel=\"noopener\">According to researchers at CrowdStrike,<\/a> the attackers are going through Outlook Web Access \u2014 also known as OWA \u2014 to get at PowerShell\u2019s remote access service. This gets around Microsoft\u2019s recent mitigations for the ProxyNotShell vulnerability. To defend against this suspected new attack, CrowdStrike says Exchange administrators should install the latest patches on their servers. They should also follow Microsoft\u2019s recommendations to disable remote PowerShell for non-administrative users. And they should monitor servers for signs of exploitation in IIS and RemotePowerShell logs.<\/p>\n<p data-ar-index=\"4\"><strong>Separately,<\/strong> administrators whose organizations use the cloud-based Exchange Online service were given <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-deprecation-in-exchange-online-time-s-up\/ba-p\/3695312\" rel=\"noopener\">a final warning this week that Microsoft is turning off basic authentication in January<\/a>. 
They need to switch to Exchange Online\u2019s modern authentication service. Any user trying to connect through basic auth in January will get an error message. The reason for killing basic authentication is it\u2019s susceptible to password spray attacks. Microsoft has been warning about this coming change for some time. Administrators should have switched to Microsoft\u2019s modern auth by now.<\/p>\n<p data-ar-index=\"5\"><strong>Still dealing with Exchange<\/strong>, a Swiss-based cybersecurity firm called Prodaft <a href=\"https:\/\/www.prodaft.com\/resource\/detail\/fin7-unveiled-deep-dive-notorious-cybercrime-gang\" rel=\"noopener\">put out a background report<\/a> on a financially-motivated ransomware group researchers call FIN7. It often takes advantage of Exchange vulnerabilities. Since 2021 it has been using an automated attack system to find and run exploits on Exchange servers. Other tactics include buying stolen authentication for Windows remote desktop access deployments and VPNs. This particular group goes after high-revenue organizations.<\/p>\n<p data-ar-index=\"6\"><strong>The personal information<\/strong> of over 100,000 students who used publisher McGraw Hill\u2019s online education platform could have been copied by anyone over the summer. <a href=\"https:\/\/www.vpnmentor.com\/blog\/report-mcgraw-hill-breach\/\" rel=\"noopener\">According to researchers at vpnMentor,<\/a> the data was stored in two misconfigured Amazon Web Services buckets. This is just the latest in a series of discoveries of poorly-protected databases left open on the internet. Files included names, email addresses and grades of users from the University of Toronto, McGill University, UCLA, the University of Michigan and other institutions. Also on the servers was source code belonging to the publisher. The thing is, McGraw Hill took a long time to respond to the discovery. vpnMentor says it first left a message with the company on June 13th. 
After three more unanswered messages the researchers left warnings with the U.S. Computer Emergency Response Team and Amazon, hoping they would contact the publisher. The data on the buckets were finally removed over a month later, on July 20th. Organizations need to have communication processes to respond to complaints like this. Otherwise there will be new stories that make it look like the organization isn\u2019t organized.<\/p>\n<p data-ar-index=\"7\"><strong>Finally,<\/strong> another warning has gone out for Android users to be careful of the apps they download. <a href=\"https:\/\/blog.group-ib.com\/godfather-trojan?utm_source=press_release&amp;utm_campaign=godfather-blog-en&amp;utm_medium=organic\" rel=\"noopener\">Researchers at Group-IB have discovered<\/a> the return of a trojan malware called Godfather that steals the passwords of users who try to log into banks in the U.S., Canada, the U.K., France, Germany and other countries. It\u2019s back after disappearing in June. Victims don\u2019t realize they\u2019re giving away their credentials because they\u2019re logging into a fake screen superimposed over the bank\u2019s real page. Crooks often distribute mobile malware through utility apps such as currency converters, and, in this case, a fake version of Google Protect.<\/p>\n<p data-ar-index=\"8\">Later today the Week in Review edition will be out. Guest commentator Terry Cutler of Cyology Labs will be here to comment on vulnerabilities in Samba, the seizure of DDoS attack sites and more.<\/p>\n<p data-ar-index=\"9\">Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.<\/p>\n<p data-ar-index=\"10\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-dec-23-2022-a-new-attack-vector-against-exchange-and-more-unprotected-data-found-on-aws-s3-buckets\/519431\">Cyber Security Today, Dec. 
23, 2022 \u2013 A new attack vector against Exchange and more unprotected data found on AWS S3 buckets<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode reports on protecting Exchange Servers and Exchange Online, a report on the FIN7 ransomware gang and more bad An<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-33199","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=33199"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33199\/revisions"}],"predecessor-version":[{"id":33277,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/33199\/revisions\/33277"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=33199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=33199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=33199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}